Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. .. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

So it seems the attack is not generalizable for all scenarios at this point in time (and we'll not yet see a collision for, say, a SHA-1 certificate hash), but that's how things started to go bad for MD5 too...